3
votes

I am updating a user's password via a nodejs-graph-API application (with an Application token) using the endpoint below:

PATCH /users/{userId}

{
  passwordProfile: {
    forceChangePasswordNextSignIn: true,
    password: newPassword,
  }
}

I provided all the application and delegated access:

User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All

https://docs.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=http

I have two tenants (one for dev and another for prod). In the dev tenant things work fine, but it is failing in the prod tenant.

Error:

Error: Could not update password. Error: Authorization_RequestDenied

Permission screen: [screenshots]

1
Try giving your App the Global Admin role and see if you can update the user or not? - Shiva Keshav Varma
@ShivaKeshavVarma it's already there; attached a new image to the description. App admin, Cloud App admin, reports reader - Suresh
Suresh, please give the global administrator role only, not App admin, Cloud App admin, reports reader. - Shiva Keshav Varma
@ShivaKeshavVarma any idea how much time it takes for a permission to propagate? One more thing: how is it working in my other tenant, where there is no global admin permission? - Suresh
@ShivaKeshavVarma providing the Global Admin role worked out, but I am in a situation where I shouldn't use it (I should instead provide an appropriate one) - Suresh

1 Answer

2
votes

There are a few cases where we cannot modify another user's data simply like that. It is not just the API permissions to modify; we also need to have a proper role to do some operations. As we are modifying another user's password, we should have the highest or a related role that can do it. I used to give the Global Admin role, which worked in my case.

As @Suresh suggested, we can also use the Authentication administrator role, as it worked for him.

Adding a permission to the application may take a few seconds, as it depends on different factors like internet, etc.
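
An added example, not part of the original answer or the asker's application: a Node.js sketch that inspects which directory roles the app's service principal holds, flags Global Administrator as more than the task needs, and sends the PATCH from the question while surfacing `Authorization_RequestDenied`. Assumptions: the helper names are hypothetical, the sample response is constructed, the full role display names are expanded from the abbreviations in the comments, and the "sufficient" list contains only the two roles this thread reports as working.

```javascript
// Added example, not code from the original post. Needs Node.js 18+ (global fetch).
const GRAPH = "https://graph.microsoft.com/v1.0";
// Directory roles this thread reports as sufficient for the password update.
const SUFFICIENT = ["Authentication Administrator", "Global Administrator"];

// Constructed sample of GET /servicePrincipals/{id}/memberOf for the failing
// prod app in the question (role names expanded from the asker's comment).
const SAMPLE_MEMBER_OF = { value: [
  { "@odata.type": "#microsoft.graph.directoryRole", displayName: "Application Administrator" },
  { "@odata.type": "#microsoft.graph.directoryRole", displayName: "Cloud Application Administrator" },
  { "@odata.type": "#microsoft.graph.directoryRole", displayName: "Reports Reader" },
  { "@odata.type": "#microsoft.graph.group", displayName: "constructed-group" },
] };

// Decide from a memberOf response whether the app holds a role that allows the
// reset, and whether it holds more privilege (Global Administrator) than needed.
function assessRoles(memberOf) {
  const roles = memberOf.value
    .filter((o) => o["@odata.type"] === "#microsoft.graph.directoryRole")
    .map((o) => o.displayName);
  const held = roles.filter((r) => SUFFICIENT.includes(r));
  return { roles, canReset: held.length > 0, overPrivileged: held.includes("Global Administrator") };
}

// Fetch the service principal's direct memberships (first page only).
async function fetchMemberOf(token, spObjectId, fetchImpl = fetch) {
  const res = await fetchImpl(`${GRAPH}/servicePrincipals/${spObjectId}/memberOf`, {
    headers: { Authorization: `Bearer ${token}` },
  });
  if (!res.ok) throw new Error(`memberOf failed: HTTP ${res.status}`);
  return res.json();
}

// The PATCH from the question. A 403 Authorization_RequestDenied sets checkRoles
// so the caller inspects directory roles, which was the cause in this thread.
async function resetPassword(token, userId, newPassword, fetchImpl = fetch) {
  const res = await fetchImpl(`${GRAPH}/users/${encodeURIComponent(userId)}`, {
    method: "PATCH",
    headers: { Authorization: `Bearer ${token}`, "Content-Type": "application/json" },
    body: JSON.stringify({ passwordProfile: { forceChangePasswordNextSignIn: true, password: newPassword } }),
  });
  if (res.ok) return { ok: true };
  const code = ((await res.json()).error || {}).code;
  return { ok: false, code, checkRoles: res.status === 403 && code === "Authorization_RequestDenied" };
}
```

Roles granted through group membership or eligible (not yet activated) assignments do not appear in this direct `memberOf` listing, so a negative result here is a prompt to check those paths as well.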